
Re: the curse of the S(imple) protocols, was: Re: e2e

2007-08-18 10:00:52


--On Friday, 17 August, 2007 16:18 -0700 SM <sm@resistor.net>
wrote:

...
message and not the transport.  If the primary concern is
communications between a financial institution with which the
user already has an account (or equivalent relationship) and
that user, we don't even have the usual PKI problems: one can
deliver a sender key or cert out of band, validate it, and be
finished.

There are ways to validate the sender the first time you
establish a contact.  Once that is done, you can use it to
validate future communication you receive from that
correspondent.

Sure.  As long as we all understand that there are tradeoffs
associated with each of these.  End-to-end signatures require
that both sender and recipient be able to manage keys (directly
or indirectly), but do not depend on every actor in the
transport chain being trustworthy, trusted, and willing to play.
Used carefully, they are also insensitive to forwarding,
resending, and mid-transport rerouting.

Hop-by-hop transport-based solutions appear to be easier to
deploy --although there are some concerns about transitivity of
trust relationships and the ability of large mail providers to
force the smaller ones out, among other things-- and they
generally work much better when there is a direct connection
between the originating MSA and the final delivery MTA than when
relays are involved.  But they also tend to restrict services
somewhat.

For example, there is a long, and IMO desirable, history of
people setting up "stable addresses" via a friend or institution
-- addresses that can remain constant even though the actual
mail address and mail store provided by a vendor or ISP may
change over time.  This reduces ISP or mail-provider lock-in and
seems like a good idea to many people.  However, suppose the
user Joe Bloggs maintains a permanent address at
Joe.Bloggs@forwarder.example.com and has, this month, a mailbox
at joebloggs123@hooya.com.  Similarly J. Random Member has a
permanent mailbox at j.random.member@acm.org but a mail account
at jrm@postoffice.example.net.  While some workarounds are
possible, it is not obvious mail is sent from
j.random.member@acm.org to Joe.Bloggs@forwarder.example.com
given that the message originates from the domain and address
space of postoffice.example.net, but that administration doesn't
know about, or have any relationship to, acm.org and hooya.com
doesn't have any information about routings via
forwarder.example.com.  Maybe we have to give that up --and
give in to the desire of those who run the large email services
to advertise themselves and lock users in -- but, from my point
of view, the techniques better have very high leverage on spam
and criminal enterprises in order to justify that.  Otherwise,
we just reduce the capabilities and attractiveness of the mail
system and increase the burdens on legitimate senders and
receivers without accomplishing much.  And, to me, that feels a
bit too much like just helping the bad guys win.

     john
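As an added illustration of the forwarding case John describes (constructed for this page, not code from the thread or from any real mail system), here is a small Python model that puts a path-based hop-by-hop check beside an end-to-end signature keyed out of band, and runs both over the acm.org / postoffice.example.net / forwarder.example.com / hooya.com scenario. The domain policy, MTA hostnames and shared key are all made-up assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed policy: which MTA hostnames a domain says may hand over its mail.
# This is only the *idea* of a path-based check, not any real record format.
# Assumes acm.org has been told about its member's actual provider (a "workaround").
PATH_POLICY = {"acm.org": {"mta.postoffice.example.net"}}

# Constructed key exchanged out of band between the two correspondents.
SHARED_KEYS = {"j.random.member@acm.org": b"constructed-demo-key"}


@dataclass
class Message:
    sender: str
    rcpt: str
    body: str
    hops: list = field(default_factory=list)  # MTA hostnames that handled it, in order
    sig: str = ""


def _digest(msg: Message, key: bytes) -> str:
    return hmac.new(key, f"{msg.sender}\n{msg.body}".encode(), hashlib.sha256).hexdigest()


def sign(msg: Message) -> Message:
    """Sender signs the message with the key the recipient already holds."""
    msg.sig = _digest(msg, SHARED_KEYS[msg.sender])
    return msg


def verify_end_to_end(msg: Message) -> bool:
    """Recipient checks the signature; the route the message took is irrelevant."""
    key = SHARED_KEYS.get(msg.sender)
    return key is not None and hmac.compare_digest(_digest(msg, key), msg.sig)


def verify_hop_by_hop(msg: Message) -> bool:
    """Receiver checks only the last hop: did the sender's domain authorize that MTA?"""
    domain = msg.sender.split("@")[1]
    return msg.hops[-1] in PATH_POLICY.get(domain, set())


def forward(msg: Message, via_mta: str, new_rcpt: str) -> Message:
    """A stable-address forwarder resends the message unchanged to the current mailbox."""
    return Message(msg.sender, new_rcpt, msg.body, msg.hops + [via_mta], msg.sig)


def run_scenario() -> dict:
    """Returns (hop_by_hop_ok, end_to_end_ok) at the forwarder and at the final mailbox."""
    direct = sign(Message("j.random.member@acm.org", "Joe.Bloggs@forwarder.example.com",
                          "hello", ["mta.postoffice.example.net"]))
    forwarded = forward(direct, "mta.forwarder.example.com", "joebloggs123@hooya.com")
    return {"at_forwarder": (verify_hop_by_hop(direct), verify_end_to_end(direct)),
            "at_hooya": (verify_hop_by_hop(forwarded), verify_end_to_end(forwarded))}
```

The path check passes at forwarder.example.com but fails once hooya.com sees the message arriving from an MTA acm.org never listed, while the signature verifies at both points.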


